Pirate X Pirate Private Key Leak

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Pirate X Pirate

The Pirate X Pirate NFT game suffered a breach that resulted in 212 BNB (~$83k USD) worth of funds being taken. The breach appears to be the result of a private key leak, and very limited details have been published on how the key may have leaked. The company has instead fired their development team and hired external contract auditors.

About Pirate X Pirate

[1][2][3][4][5][6]

"Pirate X Pirate is a Blockchain gaming platform with a pirate theme. It is a world where you earn through your adventures across the high seas. Recruit your crew, form your fleet, and test your prowess battling against other pirates to earn money. With your fleet, you will participate in building a pirate metaverse with its own self-contained economy."

The Reality

Uncertainty Around Developer Team

TBD - The team was later fired and replaced.

Lack Of Smart Contract Audit

TBD - Confirm that Pirate X Pirate was not audited.

What Happened

The private key of the Pirate X Pirate NFT project was used to extract a profit.

Key Event Timeline - Pirate X Pirate Private Key Leak
Date Event Description
January 20th, 2022 2:00:00 PM MST Shinchanieoalerts Interview Interview with Pirate X Pirate founding team[6].
March 8th, 2022 2:15:00 PM MST Test Transaction What appears to be a smaller test of the exploit[7]. TBD review SlowMist information[8]. This is the date that Pirate X Pirate attributes as the date of the exploit[9].
March 8th, 2022 3:51:22 PM MST Exploit Transaction The Pirate X Pirate smart contract is exploited[10]. "A purported hacker breached our $PXP/$GOLD conversion feature and was able to replicate multiple instances of $PXP conversion before selling off, between 21:13–21:14 UTC, a total of $PXP 9,681,000 which is accounted to 0.9681% of the total supply."[9]
March 9th, 2022 1:27:00 AM MST BlockSecTeam Twitter Thread The BlockSecTeam posts an analysis of the exploit on Twitter, suspecting that the private keys of the team have been breached[11].
March 9th, 2022 8:20:00 AM MST Sincerest Apologies Pirate X Pirate tweets promising their sincerest apologies for the recent hacking event[12] and provided a more detailed plan on their Medium[9]. TBD review Medium.
March 10th, 2022 4:00:00 PM MST Web3IsGoingGreat The Web3IsGoingGreat picks up the story and shares an article on the situation[13][14]. TBD story has changed over time?
March 11th, 2022 10:03:23 PM MST QuillAudits Includes Summary QuillAudits reports that PirateX experienced an attack where users' deposited tokens were redirected to an external account. However, when users withdrew their tokens, the funds were returned to them through the smart contract's Transferfrom function. The attacker managed to profit 212 BNB through this exploit[15].
March 15th, 2022 5:21:00 AM MDT Community Thank You Pirate X Pirate releases "[a] hearty thank to all of you who stay on board with us"[16] and provide a link to a Medium article with the schedule going forward[17]. TBD details from Medium.
June 9th, 2022 6:36:55 AM MDT Shared On Reddit With Audit A post about Pirate X Pirate is shared on Reddit, emphasizing the protocol being audited by Hacken[18].

Technical Details

"The pledge contract of the NFT adventure game Pirate X was attacked. When users deposit their PXP tokens into this contract, their tokens will be transferred to an EOA account. When the user withdraws the tokens, the contract will call "Transferfrom" to transfer these funds back."

"The staking contract of Pirate X @PXPNFTsGame has been attacked. We suspect it's due to the private key leakage (since the attacker leveraged a valid signed message to launch the attack)." "The staking contract of Pirate X Pirate was attacked by an attacker, resulting in the loss of the PXP token. When user deposit their PXP token into this contract, their token will be transferred into an EOA account. The contract will call `Transferfrom` to transfer these funds back when user withdraw their tokens. When users withdraw their funds, they will submit a signature signed by a singer controlled by the project. The attacker provided a valid sign of the external signer and withdraw 9,681,000 PXP tokens."

BlockSecTeam Report

The BlockSetTeam reported about the situation on Twitter[11].

1/5) The staking contract of Pirate X @PXPNFTsGame has been attacked. We suspect it's due to the private key leakage (since the attacker leveraged a valid signed message to launch the attack).

2/5) The staking contract of Pirate X Pirate (0x6912B19401913F1bd5020b3f59EE986c5792DA54) was attacked by an attacker, resulting in the loss of the PXP token.

3/5) When user deposit their PXP token into this contract, their token will be transferred into an EOA account (0x3b74a9cb5f1399b4a5a02559e67da37d450067b7). The contract will call `Transferfrom` to transfer these funds back when user withdraw their tokens.

4/5) When users withdraw their funds, they will submit a signature signed by a singer controlled by the project. The attacker provided a valid sign of the external signer (0x7435e0e4c4d10988e8821dc4853d1db2eceb176d) and withdraw 9,681,000 PXP tokens.

5/5) The attacker dumped these tokens into the market, got a profit of about 212 BNB.

Total Amount Lost

The total amount lost has been estimated at $83,000 USD.

[19]

Pirate X Pirate Smart Contract: [3] Staking Contract: [4] EOA Account: [5]

212 BNB[15]

"A purported hacker breached our $PXP/$GOLD conversion feature and was able to replicate multiple instances of $PXP conversion before selling off, between 21:13–21:14 UTC, a total of $PXP 9,681,000 which is accounted to 0.9681% of the total supply."

"The attacker [sold off] more than 9.6 million $PXP" "The attackers put these tokens on the market and made a profit of about 212 BNB."


How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

Announcement By Pirate X Pirate Team

"A purported hacker breached our $PXP/$GOLD conversion feature and was able to replicate multiple instances of $PXP conversion before selling off, between 21:13–21:14 UTC, a total of $PXP 9,681,000 which is accounted to 0.9681% of the total supply."

"The attacker [sold off] more than 9.6 million $PXP" "The attackers put these tokens on the market and made a profit of about 212 BNB."

"PXP Team has bought back the total of $PXP 9,681,000 which will be returned to the reward pool." "We have decided to dismiss our current developer team and are currently in the process of recruiting a new team to assume the responsibilities."

"To ensure the security of the system and prevent such issue from happening again, we need to temporarily close the conversion feature and have the game codes reviewed by a trusted auditor. We are currently contacting an auditor and will keep you posted once the discussion concluded."

Sincerest Apologies

The Pirate X Pirate team acknowledged the exploit on Twitter and offered their sincerest apologies to those affected[12]. This linked to a more detailed medium post[9].

Our sincerest apologies for the hacking incident. The PXP Statement Regarding the Hacking Incident and Remedies is attached below.

Please accept our sincere apologies for the hacking incident recently taking place at 21:13 UTC. A purported hacker breached our $PXP/$GOLD conversion feature and was able to replicate multiple instances of $PXP conversion before selling off, between 21:13–21:14 UTC, a total of $PXP 9,681,000 which is accounted to 0.9681% of the total supply.

Initially, PXP Team is implementing remedial measures as follows:

PXP Team has bought back the total of $PXP 9,681,000 which will be returned to the reward pool.

Such attack could happen due to the team’s utter carelessness to launch the conversion feature despite of its vulnerability. We deeply regret bypassing the inspection that should have been done by a white hat hacker as we intended to roll out the feature long-suspended as fast as we could. We have decided to dismiss our current developer team and are currently in the process of recruiting a new team to assume the responsibilities.

To ensure the security of the system and prevent such issue from happening again, we need to temporarily close the conversion feature and have the game codes reviewed by a trusted auditor. We are currently contacting an auditor and will keep you posted once the discussion concluded.

Finally, PXP Team is truly sorry for the mistakes that caused an uproar among our valued community. You will be informed about the updated plans soon.

Web3IsGoingGreat

Web3IsGoingGreat picked up and ran an article on the situation[13][14].

The Pirate X Pirate blockchain gaming platform was exploited, with an attacker selling of more than 9.6 million $PXP. They were able to dump the tokens into the market for a profit of around 212 BNB ($78,000). In a blog post following the incident, Pirate X Pirate wrote, "Such attack could happen due to the team's utter carelessness to launch the conversion feature despite of its vulnerability. We deeply regret bypassing the inspection that should have been done by a white hat hacker as we intended to roll out the feature long-suspended as fast as we could. We have decided to dismiss our current developer team and are currently in the process of recruiting a new team to assume the responsibilities." They also announced that they had bought back the total $PXP that were stolen, and would be undergoing an audit.

Ultimate Outcome

"The past week has been quite harsh following the hacking incident we wish had never happened. We really appreciate the support from all of you who have faith in us and continue on the journey with PXP. Our main focus now is to relaunch the token conversion system as fast and secure as possible. Immediately after our announcement about the incident, we proceeded to have the codes audited and consulted with the auditing party about the time required for their processes. We were informed that it would take at least 20 business days to complete the task, in other words, a whole calendar month."

"The estimated downtime was too long for us to consider the best option given our situation. We finally reached a conclusion to implement our contingency plan that would provide the most secure yet readily available solution in the meantime; The Withdrawal System will require you to submit a withdrawal request (converting $GOLD to $PXP) which will be verified and approved within 24 hours. Once approved, $PXP will be sent to your wallet. Players no longer need to pay gas fees for withdrawal. Players cannot convert $PXP to $GOLD for the time being."

"A hearty thank to all of you who stay on board with us."


A Hearty Thank You

Pirate X Pirate ultimately released a Tweet thanking their community and announcing their plans for the future[16][17].

Dear all Pirate Mateys,

A hearty thank to all of you who stay on board with us. After the hacking incident, we have re-planned our schedules. Check out our new updates regarding the new withdrawal system and other features

The past week has been quite harsh following the hacking incident we wish had never happened. We really appreciate the support from all of you who have faith in us and continue on the journey with PXP. Our main focus now is to relaunch the token conversion system as fast and secure as possible. Immediately after our announcement about the incident, we proceeded to have the codes audited and consulted with the auditing party about the time required for their processes. We were informed that it would take at least 20 business days to complete the task, in other words, a whole calendar month.

Third Party Reports

[15]

[18]

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

TBD

Individual Prevention Policies

The Pirate X Pirate smart contract should have been thoroughly audited and funds should have been under the control of a sufficiently strong multi-signature wallet. Users have a responsibility to exercise stronger diligence when using decentralized applications. More information should be requested from platforms.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

The primary issue here is that control over the smart contract needs to be in a multi-signature arrangement, to prevent a single individual being exploited or acting maliciously. All key holders also need to be trained on how to properly protect their key.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Platforms will likely benefit from having a third party check over their setup and understanding.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

An industry insurance fund can assist with assessing validators and in the event of further issues.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

This issue could have been prevented by ensuring that authority was under multi-signature control, and that all operators were aware of the proper procedures to safeguard their private keys.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

The insurance system is important, both to incentivize the selection of competent validators and to handle events which are unforeseen.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. https://piratexpirate.io/ (Mar 17, 2022)
  2. Pirate X Pirate( PXP ) info, Pirate X Pirate( PXP ) chart, market cap, and price | TheBitTimes.Com (Mar 18, 2022)
  3. 3.0 3.1 Pirate X Pirate Smart Contract - BscScan (Mar 18, 2022)
  4. 4.0 4.1 Pirate X Pirate Staking Contract - BscScan (Mar 18, 2022)
  5. 5.0 5.1 Pirate X Pirate EOA Account - BSCScan (Mar 18, 2022)
  6. 6.0 6.1 Pirate X Pirate Ama Summary Recap With Shin Chan Community - Shinchanieoalerts (Mar 18, 2022)
  7. Smaller Test Exploit Transaction - BscScan (Mar 18, 2022)
  8. SlowMist Hacked - SlowMist Zone Archive April 25th, 2023 4:15:49 PM MDT (Jun 26, 2021)
  9. 9.0 9.1 9.2 9.3 PXP Statement Regarding the Hacking Incident and Remedies - Pirate X Pirate Medium (Mar 18, 2022)
  10. Pirate X Pirate Exploit Transaction - BscScan (Mar 18, 2022)
  11. 11.0 11.1 BlockSecTeam - "The staking contract of Pirate X @PXPNFTsGame has been attacked. We suspect it's due to the private key leakage (since the attacker leveraged a valid signed message to launch the attack)." - Twitter (Mar 18, 2022)
  12. 12.0 12.1 PXPNFTsGame - "Our sincerest apologies for the hacking incident. The PXP Statement Regarding the Hacking Incident and Remedies is attached below." - Twitter (Mar 18, 2022)
  13. 13.0 13.1 Pirate X Pirate blockchain gaming platform exploited, blames its team's "utter carelessness" - Web3IsGoingGreat (Mar 18, 2022)
  14. 14.0 14.1 web3isgreat - "A trader ends up owing $3600 after an exchange mistakenly deposits 10 Bitcoin in their account" - Twitter (Apr 25, 2023)
  15. 15.0 15.1 15.2 Fantom Based Protocol Fantasm Suffers 2 6m Exploit - QuillAudits (Mar 17, 2022)
  16. 16.0 16.1 PXPNFTsGame - "A hearty thank to all of you who stay on board with us. After the hacking incident, we have re-planned our schedules." - Twitter (Mar 18, 2022)
  17. 17.0 17.1 Withdrawal System and March Update Plans - Pirate X Pirate Medium (Mar 18, 2022)
  18. 18.0 18.1 epuril - "Pirate X Pirate | Audited by Hacken | Pirate based P2E/P2P NFT Game |NFT Marketplace LIVE! | From the creators of Biggest Siam Board Games (Thailand) | 0% Buy/SellTax| CEX listing incoming |Alot of Future Partnerships Coming | Players earning dollars daily!" - Reddit (Jul 7, 2023)
  19. https://coinmarketcap.com/currencies/bnb/historical-data/ (Feb 15, 2022)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Pirate_X_Pirate_Private_Key_Leak&oldid=4780"